Our new F-Droid App Repository (out of date!)

Update: this blog post has been changed to reference our new FDroid repository at https://guardianproject.info/fdroid. If you are still using the old one originally described here which has the URL https://guardianproject.info/repo, you should switch to the new repo as soon as possible!

For all of you out there looking for a safe way to find and download apps outside of the Play Store (aka Android Market) or random, sketchy third-party app stores and file sharing sites, your wait is over:

The FDroid Repository is an easily-installable catalogue of FOSS applications for the Android platform. The server contains the details of multiple versions of each application, and the Android client makes it easy to browse, install them onto your device, and keep track of updates.

In other words, F-Droid is like an app store for open-source. More importantly, there is not just one “store”. Anyone can deploy their own repositories of apps, or Repos, much like the way the Debian repo model works.

We’ve now begun creating our own hosted F-Droid-compliant repo where we can easily provide the latest and greatest versions of all our apps. As we update the apps, F-Droid should notify you and allow you to update quickly and without hassle.

Ads are useful for sales but I draw a distinction between passive ads (billboards, magazines, traditional tv, shirts, logos, et al) and aggressive ads which not only look back at you but stalk you in RL and the interweb (third party loaded ad servers, behavioral stalking, false privacy policies, gps breadcrumbs, collating with those you contact, etc) building (collecting, buying, selling) an ever creepier eternal profile on the user that would have made the gestapo drool with lust. The SS would have required everyone to wear google Glass.

Had google not been in the business of stalking users or selling ads there might not have been as large a concern. There are several generations who’ve remained internets newbies. They are raping the culture and increasing the noise to signal ratio of the interweb. You can drive the sheep to water but you can’t make them drink although drowning them is tempting, and waterboarding them out of ignorance more so.

Giving consent does NOT mitigate.

> The .apk file needs to be downloadable to a PC, where it can be checked

The repo could provide hashes of the apk and links to the online tool(s) used to vet content like iseclab’s anubis. You then could generate a hash locally and compare to either resource.

> (all third party interweb ads in app is malware)

Absolutely true! No one can afford the irreparable harm done by using adware. Deliberately providing false information to collection is useful but does nothing to remove the already harvested information.

> F-droid needs to become much much more anti-adware.

I am not pleased with the simple notice in red text on the app info page in the repo client. Plenty of F-droid contributors remove, null, or disable the malware [adware, spyware, tracking, logging, unique id harvesting] components. All contributors ought to perform this public service.

> is now called InTheClear

I’m watching it develop with interest. Please provide an alternative to old fashioned sms texting also other than email.
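
The local hash check suggested in the comment above, as an added example (not part of the original post or the Guardian Project's code). It assumes the repo index lists each APK with an `apkname` and a `hash type="sha256"` element, as F-Droid's `index.xml` does; the index fragment, the package name `org.example.app` and the APK bytes are constructed.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed index fragment (assumed index.xml layout; org.example.app is hypothetical).
SAMPLE_INDEX = """<fdroid>
  <application id="org.example.app">
    <package>
      <apkname>org.example.app_12.apk</apkname>
      <hash type="sha256">{digest}</hash>
    </package>
  </application>
</fdroid>"""

def published_hashes(index_xml):
    """Map apkname -> lowercase SHA-256 hex digest for every package in the index."""
    hashes = {}
    for pkg in ET.fromstring(index_xml).iter("package"):
        name = pkg.findtext("apkname")
        for h in pkg.findall("hash"):
            if name and h.get("type") == "sha256" and h.text:
                hashes[name] = h.text.strip().lower()
    return hashes

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large APKs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_apk(path, index_xml):
    """Return 'ok', 'mismatch' or 'unlisted' for a downloaded APK."""
    expected = published_hashes(index_xml).get(Path(path).name)
    if expected is None:
        return "unlisted"  # the index makes no claim about this file
    return "ok" if sha256_file(path) == expected else "mismatch"

if __name__ == "__main__":
    data = b"constructed stand-in for APK bytes"
    index = SAMPLE_INDEX.format(digest=hashlib.sha256(data).hexdigest())
    with tempfile.TemporaryDirectory() as tmp:
        apk = Path(tmp) / "org.example.app_12.apk"
        apk.write_bytes(data)
        print(verify_apk(apk, index))    # ok
        apk.write_bytes(data + b"\x00")  # simulate a modified download
        print(verify_apk(apk, index))    # mismatch
```

A matching hash only shows that the file is the one the index describes, so the index itself has to come from a source you trust.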

It is true that malware scanners are helpful, and Google’s Play Services provides a pretty good one, in addition to their own “Bouncer” scanner for the Play Store itself. Luckily, there are other third party scanners like Lookout which can be installed on devices that do not come with Google Play.

So why is it, that in F-Droid, where I’d like to get most of my apps from (rather than the Google Play Store), the latest version of Gibberbot is 0.0.11-RC5 from 06/05/13, while the Google Play Store tells me something about Version 12 and it now being Chatsecure?

Don’t you update the independent Open Source repositories any more, but rather put everything in the Play Store, so that Google knows exactly who is interested in privacy?!? Well, that’s clever, isn’t it?

This whole “project” has obviously been created to either Aid in Data Mining by Government Organizations (NOT A BAD THING, AS I HOPE THIS IS THE CASE), or to Circumvent it (although not currently, illegal, in most cases) seems rather unnecessary, immoral, suspicious and un-needed to become Anon on the internet, unless you are either:
1-Super Paranoid
2-Performing Illegal Activities (or attempting to) w/o detection
3-Part of an Organization that is not supposed to exist (with malicious intents in mind)
4- Are attempting or preparing a cyber/physical attack, where Anonymity and ID Prevention are essential (unless this is being done by One Gov’t ORG vs Another) this is in fact a crime; as to my knowledge there is NO VALID LEGAL REASON TO INITIATE AN ATTACK, as a non-sanctioned Citizen in ANY Country (or ATTEMPT TO).
5- Attempting to Hide Illegal Transfers or Products/Payments
6- Transmission of Illegal Content
7- Set-up of “off the books” P2P meeting to discuss any of ABOVE
8- Attempting to compromise an already established Secure Server
9- Are involved in illegal Espionage (seeing as ACTUAL Clandestine Service Officers, not involved in non-sanctioned actions, are generally protected and Anonymized by their Host Organization, not left to “figure it out on their own”, as this would put not only the Officer/Agent, Their Family and HOST NATION at SEVERE RISK if not done correctly) or are attempting to sell/trade/transfer Illegally Obtained Classified Documents*
*-I do believe there are certain instances where this would in fact be needed during a SANCTIONED OP (e.g. Blown Cover ID, Asset Location, or to “Find a way out”…however, I am almost sure that most if not all Intel communities, have ways to do this on their own that do not involve the use of OPEN-SOURCE SERVICES, as they are in fact OPEN to the network of users providing remote access for the service…therefore, NOT ACTUALLY SECURE AMONG USERS as it would appear that all “shared” connection points are accessible to ANY user of the system!!!!)
10- AND FINAL: ARE ATTEMPTING TO CIRCUMVENT CENSORSHIP IMPOSED BY COUNTRY OF ORIGIN’S GOVERNMENT (ALSO ILLEGAL)…not necessarily opposed to this if Countries where you can ACTUALLY be punished for your opinion (and thoughts/word) NOT ILLEGAL ACTIONS.

CASE IN POINT: Posts like “Sobhan Mohammadpour says:
2013/05/20 at 5:48 am
Tor and Fdroid are quite nice in Iran :)”
-seem to indicate the true intent of this “Program” (or at least that particular user’s intentions) and point to the Absurdity of this even being Available to ANYONE.

TO CREATORS AND DEVELOPERS: PLEASE BE AWARE THAT YOU MAY BE KNOWINGLY OR UN-KNOWINGLY PUTTING THE SAFETY OF MANY NATIONS, INDIVIDUALS, AND ORGANIZATIONS AT RISK, AS WELL AS ARE MOST LIKELY CONTRIBUTING TO THE DISTRIBUTION OF ILLEGAL GOODS/SERVICES AROUND THE WORLD AND ONE DAY, THE TARGET MAY BE YOU OR SOMEONE/SOMETHING YOU ACTUALLY CARE ABOUT (ASSUMING THAT YOU ARE A DECENT GROUP OF DEVELOPERS WITH THE BEST INTENTIONS AT HEART)
-I AM NOT SLAMMING/SLANDERING/ATTEMPTING TO DISCREDIT YOUR LIFE’S EFFORTS
**Personal Opinion Only**

Ditto ” ” ” ”
what a totally over suspicious oddball that “Concerned” troll is ^^^
Just goes to show some people are so uneducated in the basics that, they instantly presume nefarious or illegal activities.. *rolls eyes*
Clearly, Definitely!! does not have the faintest idea about the legal right to having the freedom of choice to “Secure Intellectual Property” go back to sleep “Concerned” your type of short sighted negativity is not welcome here!

Apps distributed via the official FDroid app repository are signed by a different key than the apps distributed via Google Play or our direct releases page. If you have FDroid installed but installed Orbot from Google Play, then you should set Fdroid to ignore Orbot releases. You can do that from the menu in the Orbot page in FDroid.

There was a bug in the signatures that has been fixed, sorry to hear that you wasted time with it. The latest test versions should “just work” with the repo from this article, and our new debug repo. If it does not just work, please let us know by filing a bug report:

Downloading Privacy apps off Google is fine. Loads of people regularly download privacy apps off Google Play Store. Security experts like myself all advise internet/network users to protect their privacy.

Using privacy protection applications and strategies is a good way to protect against identity theft, phishing and fraud. Using alternate credentials and protecting your privacy is not a crime or does not make you suspicious, rather it helps prevent crime.

I always advise clients not to use their real identity online unless it is completely necessary (like for online Government services), and protect their personal information such as real name, Login name, passwords, email addresses, home address, phone numbers, etc by using Data Protection software (which often is available in AV or firewall software these days).

Users should also use password manager software, and encryption like TrueCrypt for their personal computer storage hard drives, SSDs, USBs, DVDs and backup NAS devices where possible. Also GPG or similar software should be used to secure all personal email. You should have a couple of online email addresses for useless online stuff that will end up getting that email account spammed, or people with poor security practices, out of date or no antivirus/firewall, and that can’t use Bcc or Cc fields correctly.

If you have more than one computer or laptop then you should leave one for personal work and any personal information permanently offline with its network disabled and all hard drives and storage encrypted. You can then use your other computer/laptop for online activities. If you use the same internet security software on both systems you can use a secure method to download updates like Tor and save the update files via a sandbox (using something like Sandboxie), then after scanning the update files for Rootkits, Trojans, Viri and other Malware, you can then extract just the update files needed from the Sandbox to a USB device for transferring to your offline system.

Privacy and security is not a criminal act, it’s intelligent and helps you avoid cyber crime and identity or financial theft. The more people understand security and practice good security and privacy techniques, the fewer victims and income available to cyber criminals.

There are currently two updates that are in the F-Droid repository but not in the Guardian Project’s own repository. They are Orweb 0.5.2 –> Orweb 0.6, and PixelKnot 0.3-RC1 –> PixelKnot 0.3.1. Why are these updates not in the Guardian Project’s own repository? Are they fake?

Yes, those are updates coming from us. I’m not sure about the “Added on” date issue. Another way to double-check is to check the OpenPGP signatures on the APKs. Here is the APK and its OpenPGP signature:

Yes, sometimes it takes a bit longer for us to update our own fdroid repos than we would like. We have a rigorous offline process for generating the repos, while the official FDroid repo does all of its build online, and automatically (for the most part).

The APKs in /releases will always be the latest available from anywhere.

The government is useless as snot. All your data is data mined. The Tor project was funded to stop US gov being data mined as they were stupid enough to teach Al Qaeda about their intelligence sat network when they dropped 30,0000 militia into Afghanistan to beat the Soviets to the huge gas fields as Iran didn’t want a great gas pipeline running through their country.
Al Qaeda promptly used old soft drink cans to build their own satellite dishes and captured CIA transmitters to hack back into US intel systems every time they thought they were doing the eavesdropping.

Post 9/11 they knew they had a problem – their crap was p0wn3d! So they took THINTHREAD (NSA mass data mining tool then in development) stripped out the hardware and software component that encrypted all public communications that did not have a proper wiretap warrant, and re-purposed it to collect all communications either internal, exiting, entering or passing through US jurisdiction. This program was then expanded to all US partners to tap all 20 major undersea cables, mobile telephone, sat, radio and other communication systems. This was all done without legal authority and against the express orders of the US Attorney General and against good advice from the US justice committee that it would be illegal. The program kept getting shut down then restarted again using various legal theories, until finally Bush sought approval from congress to try and backdate its legality and get a ‘legal’ super warrant that allows all communications to be mined.

So everything is mined. Tor is not bad. Sure they collect everything but it is encrypted and stored until they can break the encryption or you become high priority enough to divert significant resources to. If you use Tor or know how to properly set your browser to use encryption that isn’t NSA backdoor then it makes it much harder for them.

Tor is simple and works, though researchers have been attacking hidden services for FBI and other attempts are made at eavesdropping Tor entry or exit nodes and trying to populate many nodes. The more people that run Tor nodes the better the system works and the harder to eavesdrop. Run good security practices and encrypt everything. Any computer can be broken into if targeted with enough resources or physical access gained, this is why you should keep an interest in all IT security matters and practice good security like not plugging other people’s USB gear or not use a phone or computer at all. Actually I encourage not using smartphones at all as they are very easy to hack and follow, though if you always keep them in ‘airplane mode’ in or near your house, use burner SIMs and a custom ROM with all third party apps removed (Titanium Backup lets you easily remove third party apps), they are slightly better (also ensure smartphone is encrypted and disable location tracking and install a firewall that allows you to properly configure IPtables). Best smartphone is one in pieces. Get a cheap laptop and run Tails or build your own custom ROM of Debian/GNU. Don’t use the cloud at all.

Learn stuff or die trying. Don’t be an idealist or extremist/fundamentalist/patriot etc. Read books and use internet for learning about intelligent stuff as all those stupid cat videos and images contain rootkits to hack your firmware.

I am being constantly narrated by my so called account security go my in phone mobile apps. My pages on Android never fully load. My settings and apps are always altered or edited. I am being taken advantage of due to my economical low income conditions. I am a 2 year survivor of witnessing first hand how evil and deceitful they are. They continue hacking from outside Google buildings. They have tried hard to smother my use of Android but thanks to F-droid and yourselves The Guardian Project and GitHub and others. I am still alive and kicking their defeat with this little Android ZTE Concord UK.

Please get with the F-Droid admins to help with transitioning between signing keys when adding a new repo.

For example, I would prefer to use your repository within F-Droid for downloading/installing GuardianProject software and apps. Unfortunately, since I’ve already installed most of these apps through the normal F-Droid repo, the applications have been signed with different keys.

It would be convenient to be able to ‘verify’ the integrity of a new signer, and have that new signer be the governing signer, replacing the previous.

Orbot on my Android can not protect few sites to access I tap app button but same result & tap on Bridge button & requested recommended by app (4) via email but never receive any reply to requested one by mail the question is that can I solve my problem for full protection my Android or not, please note I’m from Iran.
Thanks & Best Regards

I can’t seem to find many of the apps mentioned on GuardianProject.info on F-Droid, only on Google Play? There are lots of great apps on F-Droid, it’s just that the Guardian Project ones look the most useful.

While some of our apps are on F-Droid.org, we have our own F-Droid repository here https://guardianproject.info/fdroid. Also, in the F-Droid app, our repository is built-in, but you must enable it first.